PO Box 1450 

Alexandria, VA 22313-1450 
Disclosure Statement under 37 C.F.R. 1.56 and 1.98 

Pursuant to 37 CFR § 1.56 and MPEP § 2001.06(c), the documents listed on the 
attached form PTO-1449 are disclosed. 

Pursuant to 37 CFR § 1.98(a), the documents listed on the attached form PTO- 
1449 are submitted herewith. The Information Disclosure Statement submitted 
herewith is being filed after the period specified in 37 CFR 1.97(c), but on or 
before payment of the issue fee and is accompanied by the statement and fee as 
indicated below. The Commissioner is hereby authorized to charge counsel's 
Deposit Account No. 20-0782/SRI/4 190-3 for the fee set forth in 37 CFR 1.17(p), 
as well as any other fees required to make this response timely and acceptable 
to the Office. 
Internet Security Systems et al. currently pending in the U.S. District Court for the 
District of Delaware, case number 04-1199-SLR. The interrogatories relate to 
the defendants' allegations of inequitable conduct and to the validity of U.S. 
Patents 6,711,615, 6,484,203, 6,321,338, and 6,708,212. 

The documents listed as C1 through C51 on the attached form PTO-1449 are the 
defendants' interrogatory responses and exhibits thereto. The documents listed 
as C52 through C55 are the plaintiffs (Applicants') responses, including a 
rebuttal of the defendants' allegations of invalidity. The remainder of the 
documents provided herewith represent the art referenced in the defendants' 
responses that is not already of record in the present Application. 

The final exhibit of each defendant's responses (i.e., documents C25 and C49) 
alleges that the combination of an exceptionally large number of documents 
renders the patents in suit obvious. In order to avoid overly burdening the 
Examiner with this large volume of additional material, the Applicants have not 
provided copies of these references unless they are referenced elsewhere in the 
exhibits, or already of record in the present Application. However, the Applicants' 
representative will be more than happy to provide any or all of these references if 
the Examiner believes it necessary. 

The Examiner's attention is directed to the fact that certain portions of the 
documents submitted herewith (particularly, certain portions of the defendant's 
invalidity contentions) are marked as subject to a protective order. The portions 
of the documents so marked include citations from an unpublished, internal and 
confidential document authored by the Applicants entitled "Conceptual Design 
and Planning for EMERALD: Event Monitoring Enabling Responses to 
Anomalous Live Disturbances" dated 20 May, 1997. This document has never 
been published or made available to the public, and as such cannot be prior art 
or otherwise material to patentability, and is not cited on the attached form PTO- 
1449. The Applicants do not object to the inclusion of the cited portions of this 
document, as recited in the defendant's invalidity contentions, in the official file 
wrapper maintained by the Office. 

Further, two documents referenced by the defendants in their contentions are 
marked as "For Official Use Only": (i) "Netranger Realtime Network Intrusion 
Detection Performance and Security Test", DoD/SPOCK, including appendices A, 
B, and C, April 30, 1997 and (ii) "Product Security Assessment of the Netranger 
Intrusion Detection Management System Version 1.1", Air Force Information 
Warfare Center, February 1997. The Applicants are investigating the validity of 
these government markings and are unable at present to provide the Examiner 
with copies thereof. If it is determined that these markings are no longer 
appropriate, the Applicants will provide copies to the Examiner. 
C18

EXHIBIT A-16 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, HARRIS CORPORATION, "STAKE OUT NETWORK SURVEILLANCE", STAKE OUT NETWORK SURVEILLANCE INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-12, November 15, 2005.
EXHIBIT A-17 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, HP OPENVIEW FOR WINDOWS USER GUIDE, "HP OPENVIEW", HP OPENVIEW AND THE INTERNET STANDARDS INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-29, November 15, 2005.

C20

EXHIBIT A-18 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, INTERNETWORK SECURITY MONITOR, "ISM", ISM AND DIDS INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) OR 103, pp. 1-80, November 15, 2005.
EXHIBIT A-19 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, EMERALD 1997, INTRUSIVE ACTIVITY 1991, NIDES 1994, EMERALD 1997, INTRUSIVE ACTIVITY 1991, AND NIDES 1994 INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-53, November 15, 2005.

EXHIBIT A-20 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, NETSTALKER AND HP OPENVIEW, NETSTALKER AND HP OPENVIEW INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-32, November 15, 2005.

C23

EXHIBIT A-21 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, NETWORK FLIGHT RECORDER, NETWORK FLIGHT RECORDER INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-53, November 15, 2005.
EXHIBIT A-22 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, AUTOMATED INFORMATION SYSTEM "AIS", AIS INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-21, November 15, 2005.

EXHIBIT A-23 TO THE SYMANTEC CORPORATION'S SECOND SUPPLEMENTAL RESPONSES TO SRI INTERNATIONAL, INC.'S INTERROGATORIES NOS. 6 AND 11, COMPARISON OF LISTED PUBLICATIONS TO CLAIMS-AT-ISSUE OF SRI'S PATENT-IN-SUIT FOR 35 U.S.C. § 103, pp. 1-57, November 15, 2005.

SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, SRI International, Inc., a California Corporation v. Internet Security Systems Inc., a Delaware Corporation, Internet Security Systems, Inc., a Georgia Corporation, and Symantec Corporation, a Delaware Corporation, pp. 1-22, Certificate of Service dated November 15, 2005.

EXHIBIT 1 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, EMERALD 1997 INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-60, November 15, 2005.

EXHIBIT 2 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, CMAD INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-27, November 15, 2005.

EXHIBIT 3 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, EMERALD CONCEPTUAL OVERVIEW INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-35, November 15, 2005.

EXHIBIT 4 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, CONCEPTUAL DESIGN AND PLANNING FOR EMERALD: EVENT MONITORING ENABLING RESPONSES TO ANOMALOUS LIVE DISTURBANCES VERSION 1.2, 20 May 1997 INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-58, November 15, 2005.

EXHIBIT 5 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, LIVE TRAFFIC ANALYSIS INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-52, November 15, 2005.

EXHIBIT 6 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, NEXT-GENERATION INTRUSION DETECTION EXPERT SYSTEM (NIDES): A SUMMARY INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-47, November 15, 2005.

EXHIBIT 7 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, JI-NAO INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-100, November 15, 2005.
EXHIBIT 8 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, NSM INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-17, November 15, 2005.

EXHIBIT 9 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S
pp. 1-114, November 15, 2005.

EXHIBIT 10 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, ISM AND DIDS INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) OR 103, pp. 1-91, November 15, 2005.

EXHIBIT 11 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, GrIDS INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-41, November 15, 2005.

EXHIBIT 12 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, NETRANGER INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-32, November 15, 2005.

C39

EXHIBIT 13 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, REALSECURE INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-21, November 15, 2005.
EXHIBIT 14 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, THE NETWORK FLIGHT RECORDER SYSTEM INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-73, November 15, 2005.

EXHIBIT 15 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, NETSTALKER AND HP OPENVIEW INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-21, November 15, 2005.

EXHIBIT 16 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, HP OPENVIEW AND THE INTERNET STANDARDS INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) AND/OR 103, pp. 1-26, November 15, 2005.

EXHIBIT 17 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, "NETWORK LEVEL INTRUSION DETECTION SYSTEM" (AUGUST 1990) INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-22, November 15, 2005.

EXHIBIT 18 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S
INDICATED CLAIMS UNDER 35 U.S.C. § 102 (a) and 102 (e), pp. 1-21, November 15, 2005.

EXHIBIT 19 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, "FAULT DETECTION IN AN ETHERNET NETWORK VIA ANOMALY DETECTORS" INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-17, November 15, 2005.

EXHIBIT 20 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, STAKE OUT NETWORK SURVEILLANCE INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-24, November 15, 2005.

EXHIBIT 21 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, EMERALD 1997, INTRUSIVE ACTIVITY 1991, AND NIDES 1994 INVALIDATE THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b) OR 103, pp. 1-62, November 15, 2005.

EXHIBIT 22 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, AUTOMATED INFORMATION SYSTEM - AIS INVALIDATES THE INDICATED CLAIMS UNDER 35 U.S.C. § 102 (b), pp. 1-15, November 15, 2005.

EXHIBIT 23 TO THE SUPPLEMENTAL RESPONSES AND OBJECTIONS OF ISS-GA AND ISS-DE TO SRI'S INTERROGATORY NOS 6 & 11, COMPARISON OF LISTED PUBLICATIONS TO CLAIMS-AT-ISSUE OF SRI'S PATENTS-IN-SUIT FOR 35 U.S.C. § 103, pp. 1-127, November 15, 2005.
INTERROGATORY NO. 11, SRI International, Inc., a California Corporation v. Internet Security Systems, Inc., a Delaware Corporation, Internet Security Systems, Inc., a Georgia Corporation and Symantec Corporation, a Delaware Corporation, pp. 1-17, Certificate of Service dated March 28, 2006.

SRI INTERNATIONAL, INC.'S RESPONSES TO DEFENDANTS ISS-GA'S SECOND SET OF
Delaware Corporation, pp. 1-54, Certificate of Service dated December 15, 2005.
All GrIDS software is in the form of modules with a standardized interface. The modules are started, stopped, and controlled by a module controller process located on each host.

Each department has two special modules: the software manager and the graph engine. The software manager is responsible for managing the state of the hierarchy and the distributed modules. The hierarchy is re-arranged dynamically by drag-and-drop in a user interface, and starting and stopping particular modules is similarly automated.

GrIDS data sources are modules that monitor activity on hosts and networks and send reports of detected activity to the engine. The activity is reported in the form of a node or an edge for possible inclusion in an activity graph.

Data sources that are part of GrIDS include network sniffers and point IDSs (intrusion detection systems that work on a single host or LAN). However, GrIDS provides an extensible mechanism such that other security tools can be incorporated as data sources without significant change to the tool or GrIDS.

The graph engine takes input from data source modules. The engine builds graphs, and then passes summaries of those graphs up to the engine for its parent department. The parent engine, in turn, builds graphs which have a coarser resolution.

In addition to the components shown, there are user interface modules for allowing human interaction with the system, management functions, and display of alerts. There is also a central organizational hierarchy server which has a global view of the topology of the hierarchy, and is responsible for ensuring that changes to the hierarchy happen in a consistent manner.

2.3 Graph Building

This section discusses the GrIDS engine, which collects reports from the data sources and builds them into graphs.

Graphs consist of nodes and directed edges. A single graph represents a causally connected set of events on the network. Nodes represent hosts or departments, and edges represent network traffic between them. Nodes and edges are annotated with attributes that hold supplementary information. In addition, a graph has global attributes which maintain state information about the graph as a whole.

Because GrIDS searches for numerous types of network abuse, different kinds of graph are needed. Graphs are constructed in a flexible way; users write rule sets which specify how graphs are built from reports. A single graph containing all network activity is too awkward to analyze effectively, so GrIDS allows multiple rule sets. For each rule set it maintains a graph space which contains a number of connected graphs. A rule set is an executable specification of one kind of graph; it determines whether an incoming report will be incorporated into existing graphs, and what the results will be. It also specifies when the engine will consider a graph as suspicious and what actions to take if it is. Rule sets operate independently from one another.

Each new report is presented to each rule set in the form of a partial graph. If the report satisfies the rule set's preconditions, the engine considers adding the report to the graphs in that rule set's graph space.

A rule set specifies combining rules (for nodes and for edges), to determine if an incoming graph should be combined with an existing overlapping graph, and how that should occur. Disjoint graphs cannot be combined. If a combining condition is satisfied on at least one node or edge, then the incoming graph is combined with that existing graph, and the graph's attributes are recomputed. Finally, if no graph combining occurs, but the incoming report did pass the preconditions, then it forms a new graph in the graph space.

2.3.1 An Example Rule Set

Rule sets serve several purposes: to decide if two graphs should combine, to compute the attributes of the combined graph, and to decide what actions to take, if any. Computing the edges and nodes in the combined graph is a straightforward matter which the engine does automatically. However, since it does not know the semantics of user-defined attributes, the rule set must specify how to combine them.

A rule set consists of several sections:

• A name

• Initializations

• Preconditions

• Graph combining rules

• Assessment and actions
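The engine behaviour described in Section 2.3 (preconditions, combining rule, attribute recomputation, assessment and action) and the rule set sections listed above, modelled in a small Python program that also performs the summarization step by which an engine passes a coarser graph up to its parent department's engine. This is an added example written for this page, not the GrIDS implementation or its rule set language; the class names, the `summarize` function, the worm rule set's 5-host and 60-second thresholds, and the six-report trace are all assumptions chosen for the illustration.

```python
"""Toy GrIDS-style engine for one rule set: report -> precondition ->
combining rule -> attribute recomputation -> assessment. Added example;
names, thresholds and the sample trace are assumptions, not GrIDS code."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Report:
    src: str
    dst: str
    t: float      # seconds into the (constructed) trace
    proto: str    # "tcp" or "udp"


@dataclass
class Graph:
    nodes: set    # host names
    edges: set    # (src, dst, t) triples
    attrs: dict   # global attributes maintained by the rule set


@dataclass
class RuleSet:
    name: str
    init: Callable[[], dict]                   # initial global attributes
    precondition: Callable[[Report], bool]     # admit this report at all?
    combine: Callable[[Graph, Graph], bool]    # merge overlapping graphs?
    recompute: Callable[[Graph], None]         # refresh global attributes
    assess: Callable[[Graph], Optional[str]]   # alert text, or None


class GraphSpace:
    """The connected graphs maintained for one rule set."""

    def __init__(self, ruleset: RuleSet) -> None:
        self.rs = ruleset
        self.graphs: list[Graph] = []
        self.alerts: list[tuple[str, Graph]] = []

    def ingest(self, r: Report) -> Optional[Graph]:
        rs = self.rs
        if not rs.precondition(r):
            return None
        # Each report is a partial graph: two nodes and one directed edge.
        incoming = Graph({r.src, r.dst}, {(r.src, r.dst, r.t)}, rs.init())
        incoming.attrs["last_seen"] = r.t
        # Only graphs sharing a node are candidates (disjoint graphs never
        # merge); one edge can bridge two graphs, so absorb every match.
        for g in [g for g in self.graphs
                  if g.nodes & incoming.nodes and rs.combine(g, incoming)]:
            incoming.nodes |= g.nodes
            incoming.edges |= g.edges
            self.graphs.remove(g)
        self.graphs.append(incoming)          # merged graph, or a new one
        rs.recompute(incoming)
        alert = rs.assess(incoming)
        if alert:
            self.alerts.append((alert, incoming))
        return incoming


# A worm-spread rule set; WINDOW and WORM_HOSTS are assumed thresholds.
WINDOW = 60.0     # seconds: connections further apart are not one spread
WORM_HOSTS = 5    # hosts joined by one connected spread before alerting

def worm_init() -> dict:
    return {"hosts": 0, "last_seen": 0.0}

def worm_precondition(r: Report) -> bool:
    return r.proto == "tcp"               # this rule set ignores UDP reports

def worm_combine(existing: Graph, incoming: Graph) -> bool:
    return incoming.attrs["last_seen"] - existing.attrs["last_seen"] <= WINDOW

def worm_recompute(g: Graph) -> None:
    g.attrs["hosts"] = len(g.nodes)
    g.attrs["last_seen"] = max(t for _, _, t in g.edges)

def worm_assess(g: Graph) -> Optional[str]:
    if g.attrs["hosts"] >= WORM_HOSTS:
        return f"{g.attrs['hosts']} hosts joined by one spread of connections"
    return None

WORM_RULES = RuleSet("worm", worm_init, worm_precondition,
                     worm_combine, worm_recompute, worm_assess)


def summarize(g: Graph, dept_of: dict) -> Graph:
    """Coarsen a host graph for the parent department's engine: hosts collapse
    to their department; only inter-department edges survive (an assumption)."""
    def dept(h: str) -> str:
        return dept_of.get(h, h)
    nodes = {dept(h) for h in g.nodes}
    edges = {(dept(s), dept(d), t) for s, d, t in g.edges if dept(s) != dept(d)}
    return Graph(nodes, edges, {"hosts": len(g.nodes), "departments": len(nodes)})


# Constructed trace: a worm hops h1->h2, h1->h3, h2->h4, h3->h5 within 10 s;
# h9->h10 is an unrelated connection; the UDP report fails the precondition.
SAMPLE_REPORTS = [
    Report("h1", "h2", 0.0, "tcp"), Report("h1", "h3", 2.0, "tcp"),
    Report("h9", "h10", 3.0, "tcp"), Report("h2", "h4", 5.0, "tcp"),
    Report("h3", "h6", 6.0, "udp"), Report("h3", "h5", 9.0, "tcp"),
]

def run_demo(reports=SAMPLE_REPORTS) -> GraphSpace:
    space = GraphSpace(WORM_RULES)
    for r in reports:
        space.ingest(r)
    return space

if __name__ == "__main__":
    for msg, g in run_demo().alerts:
        print(msg, sorted(g.nodes))
```

Feeding the trace in order, the four TCP hops starting at h1 merge into one graph because each new edge shares a node with it and falls inside the window, the h9 to h10 connection stays a separate graph, and the UDP report is dropped at the precondition; the fifth host joining the first graph triggers the assessment rule. A report arriving more than WINDOW seconds after a graph's last edge starts a new graph even when it shares a node, which is what keeps an old graph from absorbing unrelated later traffic. Summarizing the alerted graph with a host-to-department map yields a two-node department graph carrying the host count as an attribute, which is the kind of coarser graph the parent engine builds from.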
Abstract

There is widespread concern that large-scale malicious attacks on computer networks could cause serious disruption to network services. We present the design of GrIDS (Graph-Based Intrusion Detection System). GrIDS collects data about activity on computers and network traffic between them. It aggregates this information into activity graphs which reveal the causal structure of network activity. This allows large-scale automated or co-ordinated attacks to be detected in near real-time. In addition, GrIDS allows network administrators to state policies specifying which users may use particular services of individual hosts or groups of hosts. By analyzing the characteristics of the activity graphs, GrIDS detects and reports violations of the stated policy. GrIDS uses a hierarchical reduction scheme for the graph construction, which allows it to scale to large networks. An early prototype of GrIDS has successfully detected a worm attack.

Keywords: Intrusion detection, networks, information warfare, computer security, graphs.

1 Introduction

The Internet is increasingly important as the vehicle for global electronic commerce. Many organizations also use Internet TCP/IP protocols to build intra-networks (intranets) to share and disseminate internal information. A large scale attack on these networks can cripple important world-wide Internet operations. The Internet Worm of 1988 caused the Internet to be unavailable for about five days [1]. Seven years later, there is no system to detect or analyze such a problem on an Internet-wide scale. The development of a secure infrastructure to defend the Internet and other networks is a major challenge.

*The work reported here is supported by DARPA under contract DOD/DABT 63-93-C-0045.

In this paper, we present the design of the Graph-based Intrusion Detection System (GrIDS). GrIDS' design goal is to analyze network activity on TCP/IP networks with up to several thousand hosts. Its primary function is to detect and analyze large-scale attacks, although it also has the capability of detecting intrusions on individual hosts. GrIDS aggregates network activity of interest into activity graphs, which are evaluated and possibly reported to a system security officer (SSO). The hierarchical architecture of GrIDS allows it to scale to large networks.

GrIDS is being designed and built by the authors using formal consensus decision-making and a well-documented software process. We have completed the GrIDS design and have almost finished building a prototype.

This paper is organized as follows. Section 1.1 briefly describes related work on intrusion detection systems and motivates the need for GrIDS. Section 1.2 discusses classes of attacks that we expect to detect. In Section 2.1, the simple GrIDS detection algorithm is described, followed by a more detailed